71e4c7e65494470f13c9abe7d722584fcc6c9480637d76bbef0d65f3059c9e24

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee83e943c3fdc8891002e9f911600e92_JaffaCakes118.exe
Size

28KB
MD5

ee83e943c3fdc8891002e9f911600e92
SHA1

aafb614c834192395a19d9563c9f2b4d5a51deac
SHA256

71e4c7e65494470f13c9abe7d722584fcc6c9480637d76bbef0d65f3059c9e24
SHA512

d0358103cd84ff1fcd6d804a8f336f35bd1555e0835b82ab5ed8a9c2fee30846c23a02a97135b9978ff6e34fbc5f5e71e99f30e8cf4da3c470aca00bf0c73c95
SSDEEP

192:2MN21a9pS7na9SVSi2dNA4YL8fzh1zZoRQyJATDzk+9zHJ/uSrApwdP1oyn/AiOy:2WJ87n2FNOuV7I+DugApwJ1RAijK4Tq

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee83e943c3fdc8891002e9f911600e92_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4488	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4488	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4856	ee83e943c3fdc8891002e9f911600e92_JaffaCakes118.exe
4856	ee83e943c3fdc8891002e9f911600e92_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 3540	4856	ee83e943c3fdc8891002e9f911600e92_JaffaCakes118.exe	82
PID 4856 wrote to memory of 3540	4856	ee83e943c3fdc8891002e9f911600e92_JaffaCakes118.exe	82
PID 4856 wrote to memory of 3540	4856	ee83e943c3fdc8891002e9f911600e92_JaffaCakes118.exe	82
PID 3540 wrote to memory of 4488	3540	cmd.exe	84
PID 3540 wrote to memory of 4488	3540	cmd.exe	84
PID 3540 wrote to memory of 4488	3540	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\ee83e943c3fdc8891002e9f911600e92_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ee83e943c3fdc8891002e9f911600e92_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\10044.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3540
- - C:\Windows\SysWOW64\PING.EXE
    ping www.baidu.com
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\10044.bat

Filesize
111B

MD5
5fdebace80957bbb97d08320e4768548

SHA1
59330f62431f89e4775f099909102e8a19c6e716

SHA256
aba8430107a6b9f89345566ab3bce5a6b29ab6c279dfae7734749215f27e7bf9

SHA512
4f6841e64dd5adce3f011906155756c20f7003148cf9fb5592b7e8c1a3d1dccd33d32238a28cf94bdc7817d2bc50134474d02fd06324e06ef57ad387dbbdd30e

Download Submit